
How to grant access to Group Project data buckets

Open daxid opened this issue 4 months ago • 2 comments

I defined a Group Project. Now members can see a bucket in their file explorer:

Image

However, they cannot access it (access denied):

Image

How can I grant access to project storage based on groups defined in Keycloak?

I tried to include the groups in the JWT for Minio, as I did for Onyxia to set up the groups in the first place, but it was not enough.

daxid avatar Sep 24 '25 14:09 daxid

You have to define permissions on your S3 provider (in your case minIO) so that the requests done by the user's browser are allowed by minIO. This is done fully externally from Onyxia. In the case of minIO you can either define policies based on user's group membership or use OPA (Open Policy Agent).

olevitt avatar Sep 24 '25 14:09 olevitt

If you are using an STS policy, you can add this kind of rule for each group. We never found a way to have dynamic rules for groups.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "s3:*"
          ],
          "Resource": [
            "arn:aws:s3:::${jwt:preferred_username}",
            "arn:aws:s3:::${jwt:preferred_username}/*"
          ]
        },
        {
          "Effect": "Allow",
          "Action": [
            "s3:*"
          ],
          "Resource": [
            "arn:aws:s3:::projet-abc",
            "arn:aws:s3:::projet-abc/*"
          ],
          "Condition": {
            "ForAnyValue:StringEquals": {
              "jwt:groups": [
                "abc"
              ]
            }
          }
        }
      ]
    }

fcomte avatar Sep 24 '25 16:09 fcomte
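The following is an added example, not code from this issue thread or from the Onyxia or MinIO projects. It is a small offline model of how a session policy like the one posted above is applied to a decoded JWT: `${jwt:<claim>}` variables in Resource ARNs are substituted from the token, and `ForAnyValue:StringEquals` on `jwt:groups` is satisfied when any group in the token matches. The policy is the one from the thread; the two user tokens (`ALICE`, `BOB`) are constructed sample claims, and the evaluator is a teaching model of the semantics, not MinIO's policy engine. It also shows the symptom the issue opener hit: a token that carries a groups claim gets nothing until a policy statement actually references that claim.

```python
"""Model of STS session-policy evaluation against JWT claims (added example)."""
import fnmatch
import re
from typing import Any, Dict, List, Optional

# The policy from the thread, as a full policy document.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*"],
         "Resource": ["arn:aws:s3:::${jwt:preferred_username}",
                      "arn:aws:s3:::${jwt:preferred_username}/*"]},
        {"Effect": "Allow", "Action": ["s3:*"],
         "Resource": ["arn:aws:s3:::projet-abc", "arn:aws:s3:::projet-abc/*"],
         "Condition": {"ForAnyValue:StringEquals": {"jwt:groups": ["abc"]}}},
    ],
}

# Constructed sample claims, as Keycloak might put them in the token.
ALICE = {"preferred_username": "alice", "groups": ["abc", "onyxia-users"]}
BOB = {"preferred_username": "bob", "groups": ["onyxia-users"]}

_VAR = re.compile(r"\$\{jwt:([A-Za-z0-9_\-]+)\}")


def _as_list(v: Any) -> List[Any]:
    return v if isinstance(v, list) else [v]


def substitute(template: str, claims: Dict[str, Any]) -> Optional[str]:
    """Expand ${jwt:claim} variables; a missing claim makes the ARN unmatchable."""
    missing = False

    def repl(m: "re.Match[str]") -> str:
        nonlocal missing
        value = claims.get(m.group(1))
        if value is None:
            missing = True
            return ""
        return str(value)

    expanded = _VAR.sub(repl, template)
    return None if missing else expanded


def condition_holds(cond: Dict[str, Any], claims: Dict[str, Any]) -> bool:
    """Evaluate the two string operators used with jwt:* keys; others fail closed."""
    for op, kv in cond.items():
        for key, wanted in kv.items():
            if not key.startswith("jwt:"):
                return False
            have = {str(x) for x in _as_list(claims.get(key[4:], []))}
            wanted_set = {str(x) for x in _as_list(wanted)}
            if op == "ForAnyValue:StringEquals":
                if not (have & wanted_set):  # any token value may match
                    return False
            elif op == "StringEquals":
                if len(have) != 1 or not (have & wanted_set):
                    return False
            else:
                return False  # unsupported operator: treat statement as not applicable
    return True


def is_allowed(policy: Dict[str, Any], claims: Dict[str, Any],
               action: str, resource_arn: str) -> bool:
    """Default deny; an explicit Deny wins; otherwise any matching Allow grants."""
    allowed = False
    for st in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"])):
            continue
        resources = [substitute(r, claims) for r in _as_list(st["Resource"])]
        if not any(r is not None and fnmatch.fnmatchcase(resource_arn, r) for r in resources):
            continue
        if not condition_holds(st.get("Condition", {}), claims):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    obj = "arn:aws:s3:::projet-abc/data.csv"
    print("alice (in group abc) ->", is_allowed(POLICY, ALICE, "s3:GetObject", obj))
    print("bob (not in abc)     ->", is_allowed(POLICY, BOB, "s3:GetObject", obj))
    print("bob, own bucket      ->", is_allowed(POLICY, BOB, "s3:PutObject", "arn:aws:s3:::bob/x"))
```

Running it prints True, False, True: alice's group claim satisfies the condition on the project bucket, bob's token has a groups claim but no statement references a group he belongs to, and the per-user bucket statement still works for him via `${jwt:preferred_username}`. A token with no `preferred_username` claim matches neither per-user ARN, because an unexpandable variable cannot match any resource.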